ACH Legal Ruling Favors Bank

A magistrate has recommended that a U.S. District Court in Maine deny a motion for a jury trial in an ACH fraud case filed by a commercial customer against its former bank. According to the order, which must still be reviewed by the presiding judge, the bank fulfilled its contractual obligations for security and authentication through its requirement for log-in and password credentials.

Now Mark Patterson, president of PATCO Construction Inc., the commercial customer in the case, says he's weighing his legal options. "Things are not always fair, and we have to decide how long we want to fight the fight," Patterson says. "We do feel very strongly about this issue, but how far do we want to go?"

At issue for PATCO is whether banks should be held responsible when commercial accounts, like PATCO's, are drained because of fraudulent ACH and wire transfers approved by the bank. How much security should banks and credit unions reasonably be required to apply to the commercial accounts they manage?

"Obviously, the major issue is the banks are saying this is the depositors' problem," Patterson says, "but the folks that are losing money through ACH fraud don't have enough sophistication to stop this."

PATCO Primer

In May 2009, PATCO, a construction company based in Maine, had its account taken over by cyberthieves after malware hijacked the online banking log-in and password credentials for the commercial account PATCO held with Ocean Bank. More than $500,000 in fraudulent ACH transactions from PATCO's account was approved by the bank.

The business was able to recover only $230,000 of the stolen funds, and sued Ocean Bank for failing to detect and prevent the bogus transfers.

PATCO sued Ocean Bank in 2010, and the bank quickly responded with motions to seal court documents and for summary judgment. [Ocean Bank is owned by bank corporation People's United Bank.] The magistrate who recently reviewed the case now recommends that the cross motions filed by PATCO and Ocean Bank be considered moot.

David Navetta, an attorney who specializes in IT security and privacy, says the magistrate's recommendation, if accepted by the judge, could set an interesting legal precedent about the security banks are expected to provide. And unless PATCO disputes the order, Navetta says it's unlikely the judge will overrule the magistrate's findings. PATCO has between 14 and 21 days to respond.

"Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security, and that companies need not be at the cutting edge of security to avoid liability," Navetta says. "The court explicitly recognizes this concept, and I think that is a good thing: For once, the law and the security world agree on a key concept."

Bank's Security 'Not Optimal'

In the disposition, the court notes that Ocean Bank's security could have been better. "It is apparent, in the light of hindsight, that the Bank's security procedures in May 2009 were not optimal," the order states. "The Bank would have more effectively harnessed the power of its risk-profiling system if it had conducted manual reviews in response to red flag information instead of merely causing the system to trigger challenge questions."

But since PATCO agreed to the bank's security methods when it signed the contract, the court suggests that PATCO considered the bank's methods to be reasonable, Navetta says. The law also does not require banks to implement the "best" security measures when it comes to protecting commercial accounts, he adds.

"Patco in effect demands that Ocean Bank have adopted the best security procedures then available," the order states. "As the Bank observes, that is not the law."

"The court took a fairly literal approach to its analysis and bought the bank's argument that the scheme being used was multifactor, as described in the [FFIEC] guidance," Navetta says. "The analysis on what constitutes multifactor and whether some multifactor schemes [out of band; physical token] are better than others was discussed, and, to some degree, the court acknowledged that the bank's security could have been better. Even so, it was technically multifactor, as described in the FFIEC guidance, in the court's opinion, and 'the best' was not necessary."

Navetta says the court's view of multifactor does not jibe with common industry understanding. Most industry experts, he says, would not consider Ocean Bank's authentication practices in 2009 to be true multifactor. "Obviously, the 'something you have' factor did not fully work if hackers were able to remotely log into the bank using their own computer," he says. "I think that PATCO's argument was the additional factors were meaningless since the challenge question was always asked anyway, and apparently answering it correctly worked even if one of the factors failed. In other words, it appears that PATCO was arguing that the net result of the other two factors failing was going back to a single factor."
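To make the "collapse to a single factor" argument concrete, the following is an added Python model, written for this page and not code from the court record, PATCO, Ocean Bank or the article. It contrasts the two review behaviours the order and Navetta describe: a policy in which an unrecognised device or a risk-system red flag only triggers a challenge question, and a policy in which the same signals hold the transfer for manual review. The factor names, risk thresholds, dollar threshold and sample sessions are assumptions constructed for the illustration.

```python
"""Two transaction-review policies, modelled to show why a challenge
question that stands in for a failed possession factor leaves only
knowledge-based evidence behind.

Added illustration; not code from the court record, PATCO or Ocean Bank.
Thresholds, factor names and sample sessions are assumptions.
"""
from dataclasses import dataclass

RISK_FLAG = 70                   # assumed "red flag" score from a risk-profiling system
MANUAL_REVIEW_AMOUNT = 10_000.0  # assumed dollar threshold for a human look


@dataclass(frozen=True)
class Session:
    password_ok: bool        # "something you know"; capturable by a keylogger
    device_recognised: bool  # "something you have"; device cookie or fingerprint
    challenge_ok: bool       # challenge-question answer; also knowledge-based
    amount: float            # requested ACH transfer amount
    risk_score: int          # 0-100 output of a hypothetical risk-profiling system


def red_flagged(s: Session) -> bool:
    """A session is red-flagged when the possession factor fails or the
    risk-profiling system scores it above the assumed threshold."""
    return (not s.device_recognised) or s.risk_score >= RISK_FLAG


def challenge_fallback_policy(s: Session) -> str:
    """Behaviour as PATCO characterised it: red-flag information merely
    triggers a challenge question, and a correct answer approves the transfer."""
    if not s.password_ok:
        return "deny"
    if red_flagged(s):
        return "approve" if s.challenge_ok else "deny"
    return "approve"


def manual_review_policy(s: Session) -> str:
    """Behaviour the order points toward: red-flag information (or a large
    transfer) sends the request to a human reviewer instead of a question."""
    if not s.password_ok:
        return "deny"
    if red_flagged(s) or s.amount >= MANUAL_REVIEW_AMOUNT:
        return "hold_for_manual_review"
    return "approve"


def effective_factors(s: Session) -> set[str]:
    """Factor categories that actually constrained the requester.  A password
    and a challenge answer are both knowledge; only a recognised device adds
    possession.  An approval whose set is {"knowledge"} is single-factor in
    effect, whatever the scheme is called."""
    factors: set[str] = set()
    if s.password_ok or s.challenge_ok:
        factors.add("knowledge")
    if s.device_recognised:
        factors.add("possession")
    return factors


# Constructed sample sessions (not real data).
# An attacker logging in from their own machine with keylogged credentials
# and keylogged challenge answers: password and challenge pass, device fails.
COMPROMISED = Session(password_ok=True, device_recognised=False,
                      challenge_ok=True, amount=50_000.0, risk_score=85)
# The customer on a known device doing routine payroll.
LEGITIMATE = Session(password_ok=True, device_recognised=True,
                     challenge_ok=True, amount=2_500.0, risk_score=10)


def compare(s: Session) -> dict[str, object]:
    """Return both decisions plus the factor set that was really enforced."""
    return {
        "challenge_fallback": challenge_fallback_policy(s),
        "manual_review": manual_review_policy(s),
        "factors_enforced": sorted(effective_factors(s)),
    }


if __name__ == "__main__":
    for name, session in (("compromised", COMPROMISED), ("legitimate", LEGITIMATE)):
        print(name, compare(session))
```

Running the module shows the point in one line of output: the compromised session is approved by the challenge-fallback policy with only "knowledge" enforced, while the manual-review policy holds it; the legitimate session is approved by both with "knowledge" and "possession" enforced.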

Other corporate account takeover cases, which also involved fraudsters' ability to get around transactional authentication, include:

Experi-Metal Inc., which in December 2009 sued its former bank, Comerica, after losing more than $550,000 in fraudulent wire transfers;

Hillary Machinery, which in January 2010 was sued by its bank, PlainsCapital Bank, after a legal battle over ACH fraud liability. The suit was later settled for undisclosed terms;

The Catholic Diocese of Des Moines, Iowa, which in August lost $600,000 in fraudulent ACH transactions.

For Patterson, the court's lack of knowledge about the prevalence of keylogging malware, such as Zeus, crippled the magistrate's ability to sufficiently evaluate the merits of the case. "The magistrate says the bank had dual authentication because they had a password and a challenge question; but anyone who understands the system knows that is not really dual authentication," he says.

Regardless of how the court ultimately falls on the multifactor debate, Navetta says the court closely aligned its decision with online authentication guidance recommended by the FFIEC. "The FFIEC guidelines were hugely important in this case, and the bank was able to point to the fact that its multifactor authentication scheme was designed with those guidelines in mind," he says.

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
